CVE-2017-2522
published 2017-05-22

Priority: P2 (62) · CVSS 3.0: 9.8 critical
Exploit: available
EPSS: 6.59% (93.0th percentile)
An issue was discovered in certain Apple products. iOS before 10.3.2 is affected. macOS before 10.12.5 is affected. tvOS before 10.2.1 is affected. watchOS before 3.2.2 is affected. The issue involves the "CoreFoundation" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted data.

Affected (8 ranges)

Vendor | Product | Version range | Fixed in
apple | ios | - | -
apple | iphone_os | < 10.3.2 | 10.3.2
apple | mac_os_x | < 10.12.5 | 10.12.5
apple | macos_sierra_10.12.5_security_update_2017-002_el_capitan_and_security_update_201 | - | -
apple | tvos | < 10.2.1 | 10.2.1
apple | tvos | - | -
apple | watchos | < 3.2.2 | 3.2.2
apple | watchos | - | -

Detection & IOCs (extracted from sources)

URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42049.zip
Filename: longer_patched.bin
Bytes: 24 76 65 72 73 69 6F 6E 58 24 6F 62 6A 65 63 74 73 59 24 61 72 63 68 69 76 65 72 54 24 74 6F 70
  • The vulnerability is triggered by deserializing a crafted NSCharacterSet object via NSKeyedUnarchiver. Monitor for processes receiving or unarchiving NSKeyedArchive payloads containing oversized NSCharacterSet bitmap data, which triggers memory corruption in CFCharacterSetCreateWithBitmapRepresentation, reached through NSCharacterSet unarchiving.
  • Look for NSKeyedArchiver-formatted binary files (containing the magic bytes $versionX$objectsY$archiverT$top) being written to or read from AFC-accessible paths on iOS devices, which may indicate exploitation via lockdownd-exposed services over USB.
  • Detect XPC services that accept NSKeyedArchive messages without a class whitelist (insecure mode), particularly those accepting broad base classes such as NSObject, as these are exploitable for sandbox escape or privilege escalation via this CVE.
  • Monitor iOS apps that serialize application state to NSKeyedArchives without secure coding enabled, as crafted archive files written to disk can serve as a memory-corruption-based persistence mechanism.
  • Flag IPC messages or deserialized objects where __CFCSetGetAnnexPlaneCharacterSet is called with plane=0 after plane=1 in the same bitmap-parsing loop, as this is the specific code path leading to the out-of-bounds write.
  • The NSXPC attack surface for this CVE is limited to services that accept overly broad base classes (e.g., NSObject) or classes with vulnerable deserializers, because NSXPC enforces upfront type whitelisting in secure coding mode.
  • USB-based exploitation via lockdownd requires the attacking host to possess a valid pairing record for the target iOS device; unpaired hosts will trigger user-visible prompts.

CVSS provenance

NVD v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)